Re: [Full-Disclosure] Privilege escalation flaw in MDaemon 7.2.

From: kf_lists (kf_lists_at_secnetops.com)
Date: 11/30/04

    Date: Tue, 30 Nov 2004 01:33:05 -0500
    
    

    When I tested things it was on MDaemon 6.8.

    Excuse me... they did respond and it was LESS than a year ago. =]. Here
    is how it went:
    ------------------------------------------------------
    02/03/2004 11:10 AM

    Hello!

    I have sent this on to the developers.

    However, the issue you describe would require a user to have a valid
    login and physical access to the machine. With both of those, they can
    log in to the server and access the MDaemon GUI, which can also be
    further secured with a password. I'm not dismissing your submission,
    just providing feedback.

    If you have any questions, please let us know. Thanks!

    --
    Billy Pinson
    Customer Service Lead
    Alt-N Technologies, Ltd.
    Helping The World Communicate!
    http://www.altn.com
    --------------------------------------------------------------
    MDaemon 7.0 is coming! Faster multi-thread/multi-CPU server engine,
    market leading spam control, improved mobile and PDA support, enhanced
    security, and killer OWA style web mail.
    --------------------------------------------------------------

    -------------------------------------------------
    02/04/2004 06:33 PM

    Thanks much... any time estimate on the fix? It sounds as if it may have
    a low priority since it's being added to a list.

    -KF

    Alt-N Sales - Billy Pinson wrote:

    > One thing the developers have suggested in the meantime is to change
    > the service so that it cannot interact with the desktop, this would
    > prevent the GUI from showing up.
    >
    > If you need GUI access simply run the MDaemon ghost option. This will
    > launch the GUI under the user's account, rather than the system account.
    >
    > They have placed this on their list of things to be fixed.
    >
    -------------------------------------------------
    03/18/2004 10:11 PM
    Alt-N Sales - Lina Daaboul wrote:

    > Hello,
    >
    > We do not have an estimated time at this time.
    > If you have any questions, please let us know. Thanks!
    >
    -KF

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
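
The workaround quoted above (changing the service so that it cannot interact with the desktop) can be audited across a whole host. The PowerShell below is an added example, not part of the original message and not Alt-N's code; it assumes a local Windows host, read access to the Services registry key, and uses hypothetical function names. It lists every Win32 service that runs as LocalSystem with the interactive-desktop flag set.

```powershell
# Added example (not from the original thread): find services that run as
# LocalSystem and are allowed to interact with the desktop.
# SERVICE_INTERACTIVE_PROCESS (0x100) in the service's Type value is the bit
# behind the "Allow service to interact with desktop" checkbox.
$SERVICE_INTERACTIVE_PROCESS = 0x100
$WIN32_SERVICE_MASK          = 0x30   # 0x10 own process, 0x20 shared process
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-InteractiveType {
    # True when the interactive bit is set in a service Type value.
    param([int]$Type)
    return ($Type -band $SERVICE_INTERACTIVE_PROCESS) -ne 0
}

function Get-InteractiveSystemService {
    Get-ChildItem -Path $ServicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Type) { return }          # no Type value
        if (($p.Type -band $WIN32_SERVICE_MASK) -eq 0) { return }   # skip drivers
        # A Win32 service with no ObjectName runs as LocalSystem.
        $account = if ($p.ObjectName) { $p.ObjectName } else { 'LocalSystem' }
        if ((Test-InteractiveType $p.Type) -and $account -match '^(\.\\)?LocalSystem$') {
            [pscustomobject]@{
                Name      = $_.PSChildName
                Account   = $account
                Type      = '0x{0:X}' -f $p.Type
                ImagePath = $p.ImagePath
            }
        }
    }
}

Get-InteractiveSystemService | Format-Table -AutoSize

# To clear the flag on a service you have reviewed (placeholder name), reset
# its type without "type= interact"; use "type= share" for a shared-process
# service. Restart the service afterwards.
#   sc.exe config "<ServiceName>" type= own
```
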

